nitkkr/middleware.ts at master · nitkkr-dev/nitkkr · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
import { match } from '@formatjs/intl-localematcher';
import Negotiator from 'negotiator';
import { type NextRequest, NextResponse } from 'next/server';

const locales = ['en', 'hi'];

// In-memory rate limiting (resets on cold start)
const rateLimit = new Map<string, { count: number; timestamp: number }>();
const WINDOW_MS = 60 * 1000;
const MAX_REQUESTS_PAGE = 60; // Pages: 60 requests per minute
const MAX_REQUESTS_API = 30; // API: 30 requests per minute (stricter)

function getClientIp(request: NextRequest): string {
  return (
    request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ??
    request.headers.get('x-real-ip') ??
    'unknown'
  );
}

function checkRateLimit(
  key: string,
  maxRequests: number
): { limited: boolean; remaining: number } {
  const now = Date.now();
  const record = rateLimit.get(key);

  if (!record || now - record.timestamp > WINDOW_MS) {
    rateLimit.set(key, { count: 1, timestamp: now });
    return { limited: false, remaining: maxRequests - 1 };
  }

  if (record.count >= maxRequests) {
    return { limited: true, remaining: 0 };
  }

  record.count++;
  return { limited: false, remaining: maxRequests - record.count };
}

// Suspicious bot patterns (allow legitimate crawlers)
const suspiciousPatterns = [
  /bot(?!.*googlebot|.*bingbot|.*yandexbot|.*duckduckbot|.*slurp|.*facebookexternalhit|.*linkedinbot|.*twitterbot)/i,
  /crawler(?!.*googlebot)/i,
  /spider/i,
  /scraper/i,
  /curl/i,
  /wget/i,
  /python-requests/i,
  /python-urllib/i,
  /node-fetch/i,
  /axios/i,
  /^$/,
];

function isSuspiciousUserAgent(userAgent: string): boolean {
  return suspiciousPatterns.some((pattern) => pattern.test(userAgent));
}

function getPreferredLocale(request: NextRequest): string {
  const defaultLocale = 'en';
  const languages = new Negotiator({
    headers: {
      'accept-language': request.headers.get('Accept-Language') ?? '',
    },
  }).languages();

  return match(languages, locales, defaultLocale);
}

export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  const ip = getClientIp(request);
  const isApiRoute = pathname.startsWith('/api');

  // --- API ROUTES: Stricter protection ---
  if (isApiRoute) {
    const { limited, remaining } = checkRateLimit(
      `api:${ip}`,
      MAX_REQUESTS_API
    );

    if (limited) {
      return NextResponse.json(
        { error: 'Too many requests. Please try again later.' },
        {
          status: 429,
          headers: {
            'Retry-After': '60',
            'X-RateLimit-Limit': String(MAX_REQUESTS_API),
            'X-RateLimit-Remaining': '0',
            'X-RateLimit-Reset': String(Math.ceil(Date.now() / 1000) + 60),
          },
        }
      );
    }

    // Block suspicious user agents on API routes
    const userAgent = request.headers.get('user-agent') ?? '';
    if (isSuspiciousUserAgent(userAgent)) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
    }

    // API routes don't need locale handling
    const response = NextResponse.next();
    response.headers.set('X-RateLimit-Limit', String(MAX_REQUESTS_API));
    response.headers.set('X-RateLimit-Remaining', String(remaining));
    return response;
  }

  // --- PAGE ROUTES: Standard protection ---
  const { limited } = checkRateLimit(`page:${ip}`, MAX_REQUESTS_PAGE);

  if (limited) {
    return new NextResponse('Too Many Requests', {
      status: 429,
      headers: {
        'Retry-After': '60',
        'Content-Type': 'text/plain',
      },
    });
  }

  // Block suspicious user agents
  const userAgent = request.headers.get('user-agent') ?? '';
  if (isSuspiciousUserAgent(userAgent)) {
    return new NextResponse('Forbidden', { status: 403 });
  }

  // Locale handling
  const pathnameHasLocale = locales.some(
    (locale) => pathname.startsWith(`/${locale}/`) || pathname === `/${locale}`
  );

  if (pathnameHasLocale) return;

  const preferredLocale = getPreferredLocale(request);
  request.nextUrl.pathname = `/${preferredLocale}${pathname}`;

  return Response.redirect(request.nextUrl);
}

export const config = {
  matcher: [
    // API routes - rate limiting and bot protection
    '/api/:path*',
    // Page routes - rate limiting, bot protection, and locale redirect
    {
      source: '/((?!_next/static|_next/image|favicon.ico).*)',
      missing: [
        { type: 'header', key: 'next-router-prefetch' },
        { type: 'header', key: 'purpose', value: 'prefetch' },
      ],
    },
  ],
};